in the README, the paper link points to the SNARK paper. Shouldn't it be Pairing-Friendly Elliptic Curves of Prime Order?

Good catch, the link should be [BCTV14] which explains that the curve instantiation we use is tailored for use in SNARKs. (We pick a special group order for efficiency purposes.) We also use some other optimizations that are cited in the paper. The BN paper you mention is the foundation of the construction, though.

I'm sorry if these papers lead you down a rabbit hole of confusing citations, I can try my best to clear things up for you or ask the cryptographers on our team for more information.

Note that this library implements what is provided by the ate-pairing library and is based on a (simpler) implementation our cryptographers implemented in libsnark.

I updated the README to point to the current best description of our curve and optimizations, though it's not incredibly formal or detailed.